CRA cyberattacks: A prime example of credential stuffing

It has become a much "bigger deal during the COVID scam era"

By Bethan Moorcraft

The Canada Revenue Agency (CRA) was forced to temporarily shut down its online services on August 14 after two cyberattacks compromised the personal data of 5,500 Canadians.

The attack hit Canada where it hurts the most, halting access to critical financial support that many Canadians have relied on to weather the COVID-19 pandemic. It was discovered after some Canadians found that details of their CRA account had been changed without their knowledge: email addresses and direct deposit information had been altered, and in some cases Canada Emergency Response Benefit (CERB) payments had been issued in their name even though they had never applied for the benefit.

The CRA confirmed the attack, stating that the agency “quickly identified the impacted accounts and disabled access to these accounts to ensure the safety and security of taxpayer’s information.” Specifically, the CRA disabled online services on its website, barring access to the My Account, My Business Account, and Represent a Client options. All online services were reactivated on August 19.

A spokesperson for the agency released a statement on reactivating the online services, saying: “The CRA sincerely regrets the impact that these cyber security incidents have had on Canadians. CRA personnel, and our partners, have quite literally been working around the clock to combat the recent attacks, to make sure Canadians’ personal information is safe, and to restore access to services on which Canadians rely.”

It is believed the CRA attacks stemmed from what is known as credential stuffing: criminals take usernames, email addresses and passwords leaked in the breach of one service and replay them, with automated tooling and at scale, against the login pages of unrelated services, counting on people having reused the same password. The small fraction of logins that succeed are the "hits"; the rest of the list costs the attacker nothing. Stolen credential lists are also sold on the dark web for other criminals to take a stab at.
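In a login log, a credential-stuffing run has a characteristic shape: one source address touches many different accounts in a short window, nearly all attempts fail, and the few successes are the reused passwords the attacker was hoping for. The Python below is an added example (not CRA code or tooling) that runs that detection over a handful of constructed log lines in a made-up "timestamp source-ip user result" format; the thresholds are illustrative assumptions, not values any agency published.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines (not CRA logs). Format: "<ISO timestamp> <src_ip> <user> <OK|FAIL>".
# 203.0.113.7 sprays twelve different accounts in seven seconds and gets two hits;
# 198.51.100.20 is one person mistyping their own password; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2020-08-14T02:00:01Z 203.0.113.7 alice@example.ca FAIL
2020-08-14T02:00:02Z 203.0.113.7 bob@example.ca FAIL
2020-08-14T02:00:02Z 203.0.113.7 carol@example.ca FAIL
2020-08-14T02:00:03Z 203.0.113.7 dave@example.ca OK
2020-08-14T02:00:03Z 203.0.113.7 erin@example.ca FAIL
2020-08-14T02:00:04Z 203.0.113.7 frank@example.ca FAIL
2020-08-14T02:00:04Z 203.0.113.7 grace@example.ca FAIL
2020-08-14T02:00:05Z 203.0.113.7 heidi@example.ca FAIL
2020-08-14T02:00:05Z 203.0.113.7 ivan@example.ca OK
2020-08-14T02:00:06Z 203.0.113.7 judy@example.ca FAIL
2020-08-14T02:00:06Z 203.0.113.7 mallory@example.ca FAIL
2020-08-14T02:00:07Z 203.0.113.7 oscar@example.ca FAIL
2020-08-14T09:15:10Z 198.51.100.20 peggy@example.ca FAIL
2020-08-14T09:15:25Z 198.51.100.20 peggy@example.ca FAIL
2020-08-14T09:15:40Z 198.51.100.20 peggy@example.ca OK
2020-08-14T10:02:00Z 192.0.2.44 trent@example.ca OK
"""

# Assumed thresholds for the example; tune against your own baseline traffic.
WINDOW_SECONDS = 600        # look at each source in 10-minute buckets
MIN_DISTINCT_USERS = 10     # one source should not try this many accounts in a bucket
MIN_FAIL_RATIO = 0.7        # stuffing lists are mostly stale, so most attempts fail


def parse(log_text):
    """Turn the constructed log format into (epoch_seconds, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((int(t.timestamp()), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=WINDOW_SECONDS,
                    min_users=MIN_DISTINCT_USERS, min_fail_ratio=MIN_FAIL_RATIO):
    """Return {(ip, bucket_start): stats} for every (source, window) that looks like stuffing."""
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for t, ip, user, ok in events:
        b = buckets[(ip, t - t % window)]
        b["users"].add(user)
        b["attempts"] += 1
        if ok:
            b["hits"].add(user)      # a success from a spraying source is a compromised account
        else:
            b["fails"] += 1
    flagged = {}
    for key, b in buckets.items():
        fail_ratio = b["fails"] / b["attempts"]
        if len(b["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[key] = {**b, "fail_ratio": fail_ratio}
    return flagged


def compromised_accounts(flagged):
    """Accounts that authenticated successfully from a flagged source: lock these and review
    any recent changes to contact or banking details."""
    hits = set()
    for b in flagged.values():
        hits |= b["hits"]
    return sorted(hits)


if __name__ == "__main__":
    flagged = detect_stuffing(parse(SAMPLE_LOG))
    for (ip, start), b in flagged.items():
        print(f"{ip}: {len(b['users'])} accounts, {b['attempts']} attempts, "
              f"fail ratio {b['fail_ratio']:.2f}, hits {sorted(b['hits'])}")
    print("accounts to disable:", compromised_accounts(flagged))
```

The same logic applies per source ASN or per client fingerprint when the attacker spreads a run over a proxy pool; the distinct-account count is the signal that a single user's typo streak (198.51.100.20 above) does not produce.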

“Credential stuffing has become an even bigger deal during the COVID scam era,” said Adam Levin, chairman and founder of CyberScout, a global provider of cybersecurity and identity protection solutions. “Since January, it’s estimated that COVID-related scams have increased by way over 30,000%. When you set the scene, we’re dealing with a pandemic that has enormous health and economic repercussions for millions of people worldwide. As such, there’s been almost maniacal focus on COVID-19, and there’s an expectation by the public that they will be receiving regular updates and communication from businesses, from unemployment compensation organizations, from government benefits agencies, from tax departments and so on. When they did receive such communication, people had a tendency to be more forthcoming with their information, because they were so desperate to get assistance.

“Combine that with the fact that breaches have become the third certainty in life behind death and taxes, and that social media has caused people to overshare to a level that is unprecedented. Then take all of that information, mix it together, get it into the hands of hackers, scammers and identity thieves, have it available for sale on the dark web (in some cases for pennies on the dollar), and this is the environment that we’re facing.”

One of the simplest ways to protect yourself against credential stuffing is good password management, which above all means a unique password for every account, ideally generated and stored by a password manager, so that a password leaked from one site cannot usefully be replayed against another. Rotating passwords every 60 to 90 days, the advice commonly given, does little on its own: a reused password is typically exploited long before the next scheduled change. As Levin explained, the word ‘password’ is not a password, and neither is 123456 or 109876. Even a long password mixing letters, symbols, numbers, upper and lower case and random groupings of words gives no protection once it is reused: if a website is breached and stores passwords in plain text, or hashed with a fast unsalted function such as MD5 or SHA-1 that can be cracked at billions of guesses per second, attackers recover the password and try that username and password combination across their victim’s entire universe of online accounts until they get a hit. Properly stored passwords (salted and hashed with a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2) raise the cost of that recovery, but they do not help a user who has already reused the password elsewhere.
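The difference between "plain text or fast unsalted hash" and "salted slow hash" is easiest to see side by side. The Python below is an added example, not code from the article or from the CRA: it puts the weak scheme (unsalted SHA-1, one cheap guess per candidate, reusable across every user in the dump) next to salted PBKDF2-HMAC-SHA256, and runs the same tiny constructed wordlist against both. The wordlist and the iteration count are example choices; 600,000 is the OWASP Password Storage Cheat Sheet's 2023 figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the multi-gigabyte wordlists attackers actually use.
WORDLIST = ["password", "123456", "109876", "qwerty", "letmein"]


def unsalted_sha1(password):
    """The weak scheme: fast and unsalted, so identical passwords give identical hashes
    and a precomputed table cracks every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(target_hex, wordlist=WORDLIST):
    """Dictionary attack against the weak scheme: one cheap hash per candidate."""
    for cand in wordlist:
        if unsalted_sha1(cand) == target_hex:
            return cand
    return None


ITERATIONS = 600_000   # OWASP 2023 recommendation for PBKDF2-HMAC-SHA256


def store_password(password, iterations=ITERATIONS):
    """The stronger scheme: a random per-user salt plus a deliberately slow derivation.
    Output is a self-describing string so parameters can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_salted(stored, wordlist=WORDLIST):
    """Same dictionary attack against the strong scheme. It still works for a password that is
    in the list, but each candidate now costs a full PBKDF2 run and the salt means the work
    cannot be shared between users. Uniqueness, not hashing, is what protects a reused password."""
    for cand in wordlist:
        if verify_password(cand, stored):
            return cand
    return None


if __name__ == "__main__":
    leaked = unsalted_sha1("123456")
    print("unsalted SHA-1 of 123456 cracks to:", crack_unsalted(leaked))
    strong = store_password("123456", iterations=2_000)   # low count only to keep the demo quick
    print("salted PBKDF2 of 123456 still cracks to:", crack_salted(strong))
    print("random passphrase:", crack_salted(store_password("correct horse battery staple", 2_000)))
```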

“That’s what happened with the CRA,” Levin added. “There have been billions of files breached in Canada over the past few years – mostly user IDs and passwords. Add people’s social insurance numbers onto that, along with other information that can be purchased on the dark web, and all of a sudden, hackers have all the tiles they need to piece together the mosaic of a human being, who they can then pretend to be.

“That’s pretty much how it happened here. The hackers got their hands on a load of credentials, and they were relentless until they were able to get through. And when they got through, they got into thousands of accounts and they changed the banking information and the email addresses. So, half the time, unless the consumer had some form of multi-factor authentication going on with the CRA, they would never receive an indication that their email address had been changed and they would never know that their bank information changed. Most people wouldn’t even know to go to the CRA because, until this pandemic occurred, they didn’t think about it apart from during tax season.”

Multiple cybersecurity experts, including Plurilock CEO Ian Paterson and eSentire vice-president and industry security strategist Mark Sangster, have called for the CRA to strengthen its defences by enabling multi-factor authentication and by monitoring dark web credential dumps so that compromised credentials can be detected before they are used. Of the two, multi-factor authentication is the control that blunts credential stuffing directly: a replayed password on its own no longer completes a login. The CRA announced it is “continuing to analyze” the incidents, and has requested assistance from law enforcement to carry out its investigation.
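One concrete, privacy-preserving way to check passwords against known breach corpora is the k-anonymity range query offered by Have I Been Pwned's Pwned Passwords service: the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally, so neither the password nor its full hash leaves the site. The Python below is an added example, not CRA code: the live lookup is included for reference, but the demonstration uses a constructed stub with made-up breach counts so it runs offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def fetch_range_live(prefix):
    """Real lookup (network). The service answers with one 'SUFFIX:COUNT' line per known hash
    sharing the 5-character prefix; the client never sends more than that prefix."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "credential-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def pwned_count(password, fetch_range=fetch_range_live):
    """Return how many times the password appears in the breach corpus (0 = not seen)."""
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, count = line.split(":")
        if found_suffix == suffix:          # matched locally, full hash never transmitted
            return int(count)
    return 0


def password_acceptable(password, fetch_range=fetch_range_live):
    """Registration / password-change gate: refuse anything already in a known breach."""
    return pwned_count(password, fetch_range) == 0


def make_stub_range(known_counts):
    """Constructed stand-in for the live API so the example runs offline.
    known_counts maps password -> breach count; the numbers are made up for this example."""
    table = {}
    for pw, count in known_counts.items():
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")

    def fetch_range(prefix):
        # The real service returns hundreds of unrelated suffixes per prefix; one decoy stands in for them.
        lines = ["0" * 34 + "F:7"] + table.get(prefix, [])
        return "\r\n".join(lines) + "\r\n"
    return fetch_range


if __name__ == "__main__":
    stub = make_stub_range({"password": 100_000, "123456": 250_000})   # made-up counts
    for pw in ["password", "123456", "correct horse battery staple ZQ7!"]:
        print(f"{pw!r}: seen {pwned_count(pw, stub)} times, acceptable={password_acceptable(pw, stub)}")
```

The same check belongs at login as well as at registration: a password that was fine when set may have appeared in a dump since, and a match there is exactly the condition under which the account should be forced through a reset and a second factor.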
